Hackers are scanning for Docker hosts with exposed APIs to use them for cryptocurrency mining. They use Docker images infected with Monero miners and scripts that make use of Shodan to find other vulnerable targets. The malicious Docker images are deployed automatically using a script which “checks hosts with publicly exposed APIs” and “uses Docker commands (POST /containers/create) to remotely create the malicious container.” The same malicious campaign was also observed by a security consultant and the Alibaba Cloud Security team.
Source: https://www.bleepingcomputer.com/news/security/compromised-docker-hosts-use-shodan-to-infect-more-victims/
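
A defender-side check for the exposure described above, as an added example that is not from the original article: it reads a dockerd `daemon.json` and reports TCP listeners that would accept API calls such as `POST /containers/create` without client-certificate authentication. The function name and the sample configurations are constructed for illustration.

```python
import json
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def audit_docker_hosts(daemon_json: str) -> list[tuple[str, str]]:
    """Return (listener, finding) pairs for TCP listeners in a daemon.json text."""
    cfg = json.loads(daemon_json)
    # "tlsverify" makes dockerd require a client certificate signed by its CA;
    # "tls" alone only encrypts the channel and still accepts any client.
    client_auth = cfg.get("tlsverify") is True
    encrypted = client_auth or cfg.get("tls") is True
    findings = []
    for listener in cfg.get("hosts", []):
        url = urlparse(listener)
        if url.scheme != "tcp" or client_auth:
            continue  # unix:// and fd:// are local; tlsverify authenticates clients
        addr = url.hostname
        if addr in LOOPBACK:
            scope = "loopback only"
        else:
            scope = "non-loopback bind" if addr else "bind address unspecified"
        kind = "TLS without client auth" if encrypted else "plaintext, no auth"
        findings.append((listener, f"{kind}, {scope}"))
    return findings

# Constructed sample configurations (not taken from the article).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_ONLY = '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true}'
HARDENED = ('{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
            '"tlscacert": "/etc/docker/ca.pem", '
            '"tlscert": "/etc/docker/server-cert.pem", '
            '"tlskey": "/etc/docker/server-key.pem"}')

if __name__ == "__main__":
    samples = [("exposed", EXPOSED), ("tls-only", TLS_ONLY), ("hardened", HARDENED)]
    for name, text in samples:
        print(name, audit_docker_hosts(text) or "no unauthenticated TCP listeners")
```

Listeners can also be set with `-H` on the dockerd command line, so a clean `daemon.json` should be checked together with the service unit or process arguments.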

